[Owasp-topten] A9 - References - "Addressing Security Concerns in Open Source Components"

Christian Heinrich christian.heinrich at cmlh.id.au
Sun May 26 06:32:34 UTC 2013


Jeff and Dave,

I have reviewed this reference for A9 and have some concerns with its
content which are:

1. It is *not* a scientific survey since the research conducted by
"Aspect Security" is of a "sample" provided by
http://www.sonatype.org/central since both these organisations have a
commercial partnership i.e.
https://www.google.com.au/search?q=sonatype+%22aspect+security%22 and
this is *not* stated on p1 either.

2. The number of downloads is *not* reflective of the number of
products that implement the Software Component as a dependency.

3. There are multiple issues with the "Quantitative Analysis" on p3:

3a. The findings of Veracode's "State of Software Security Report -
Volume 4" indicate that the largest requestors of independent
verification of "third-party software" are "Software/IT Services (54%)"
and then "Finance (39%)" in that order.  Therefore Finance is well
aware of this fact and is not "the most exposed" as stated on p3.
Ironically, the "State of Software Security Report - Volume 4" is also
a source of statistics used for 2013 Release Candidate and "Aspect
Security" appear to have deliberately ignored their finding related to
the "Software Security Supply Chain" from p7 onwards.

3b. I'll assume that developers are (security) update aware if their
development environment consists of either Unix and/or Windows since
they would have received security advisories at least once during
their career from either the affected vendor or country's CERT.
Furthermore, it does not provide the business case for this behaviour
i.e. dependency on another software component, significant changes to
an API which break backwards compatibility, etc.

4. It is unrealistic to expect developers to understand release
management, which is the reason that release manager(s) are hired, and
this is withheld on p4.  Again, I will refer to the findings on the
"Software Security Supply Chain" from p7 onwards of Veracode's "State
of Software Security Report - Volume 4" which indicate that
"Software/IT Services" are the largest requestors of independent
verification of third-party software.

Can you please remove "Addressing Security Concerns in Open Source
Components" from the list of references?


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
